What is Queensland’s data breach scheme?
If a Queensland government agency has a data breach involving personal information, it may have notification obligations under the Information Privacy Act 2009 (IP Act).
This is called the mandatory notification of data breach scheme, or MNDB scheme.
Local councils have until 1 July 2026 to start complying with the MNDB scheme.
When does an agency have to notify?
If an agency decides that the data breach is an eligible data breach it must notify the people impacted by it and the Office of the Information Commissioner (OIC). The agency does not have to notify if an exemption applies.
An eligible data breach happens when personal information is:
- accessed or disclosed without authorisation, or lost in circumstances where unauthorised access or disclosure is likely to occur; and
- the access or disclosure is likely to result in serious harm.
What is serious harm?
For harm to be serious, it has to have a real and substantial negative impact on the individual. This could include:
- identity theft and financial loss through fraud, including negative effects on a person's finances or credit rating
- a risk of, or actual, physical or psychological harm, such as by an abusive ex-partner
- emotional harm; or
- serious harm to an individual’s reputation.
How will you be notified if there is an eligible data breach involving your personal information?
If an agency decides it has had an eligible data breach, it must notify the affected individuals directly as soon as practicable, unless an exemption applies.
If the agency cannot notify individuals directly, it must publish a notification on its website and notify the OIC, which will also publish the notice on its website. The notification must remain online for at least 12 months.
The notification must include:
- The name of the agency and whether more than one agency was affected by the eligible data breach.
- Contact details of the agency or the nominated person an individual can contact in relation to the eligible data breach.
- The date the eligible data breach occurred.
- A description of the breach, including the type of data breach: unauthorised access, unauthorised disclosure or loss of information.
- How the breach occurred.
- A description of the personal information subject to the breach, for example financial information or identity information such as a Medicare number or passport number.
- Recommendations about the steps an individual should take in response to the breach.
- Information about how to make a privacy complaint to the agency.
Notification exemptions
An agency does not have to notify individuals if one of the exemptions applies.
For example, if an agency acts quickly to mitigate an eligible data breach, so that it is no longer likely to result in serious harm, the agency is exempt from having to notify individuals.
Other exemptions include where notification could:
- lead to a serious risk of harm to an individual’s health or safety
- compromise an agency’s cybersecurity or lead to further data breaches; or
- prejudice investigations and proceedings.
There are also exemptions where more than one agency is involved, and where notification would be inconsistent with the confidentiality or secrecy provisions in other laws.